In brief

This data privacy update addresses the amendments to the Personal Data Protection Act, the changes to the Spam Control Act, the publication of the Cyber Security Agency of Singapore (CSA)’s report on the Singapore Cyber Landscape in 2020, and the proposed new licensing framework for cybersecurity service providers.


  1. Singapore: Amendments to the Personal Data Protection Act in force
  2. Mandatory data breach notification
  3. Financial penalty cap to increase to 10% of annual turnover
  4. Singapore: Changes to the Spam Control Act
  5. Singapore: Cyber Security Agency of Singapore (CSA) publishes report on Singapore Cyber Landscape in 2020
    1. Ransomware
    2. Phishing incidents
    3. Cyber hygiene
  6. Singapore: proposed new licensing framework for cybersecurity service providers

Singapore: Amendments to the Personal Data Protection Act in force

  • The Personal Data Protection (Amendment) Act 2020 (No. 40 of 2020) (“PDPA Amendments“) came into effect on 1 February 2021, amending the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA), which is the primary legislation regulating the collection, use and disclosure of personal data in Singapore.
  • The PDPA Amendments are intended to be implemented in phases, beginning 1 February 2021. Several of the key amendments are now in force, including the new mandatory data breach notification system.

Mandatory data breach notification

  • The PDPA Amendments introduce a mandatory notification system to the Personal Data Protection Commission (PDPC) when a data breach occurs. This amendment came into force on 1 February 2021.
  • The new regime makes it mandatory for organizations to notify the PDPC of either of the following data breaches:
    • Those that result in or are likely to result in significant harm to whom any personal data affected by a data breach relates to (“Affected Individuals“).
    • Those that are of a significant scale, meaning the involvement of personal data of more than 500 affected individuals.
  • Organizations must also notify affected individuals if the data breach is likely to result in significant harm to them.
  • In terms of timescale, notifications must be made to the PDPC as soon as is practicable, but in any case no later than three calendar days after the day the organization made the determination that a data breach should be notified.
  • The Regulations on Data Breach Notifications set out a prescribed list of personal data and classes of personal data that will be deemed to result in significant harm to affected individuals if such data is compromised in a data breach, which includes the following:
    • Financial information that is not publicly disclosed
    • Specified medical information (amongst other categories)
  • Organizations need to be reviewing and implementing policies and procedures in relation to responding to a data breach and rehearsing their responses ahead of time with their key advisers in order to be better prepared in the event of an attack.

Financial penalty cap to increase to 10% of annual turnover

  • The maximum financial penalty for data protection breaches will be increased to 10% of an organization’s annual turnover in Singapore or SGD 1 million (approx. USD 742,238), whichever is higher.
  • The current cap is SGD 1 million (approx. USD 742,238) and the increase in financial penalties has not yet commenced, with no date yet confirmed.
  • We are expecting the increase to be delayed to early 2022 due to COVID-19.

Singapore: Changes to the Spam Control Act

  • In addition to the PDPA being amended on 1 February 2021, the Spam Control Act was also amended on the same date to cover bulk commercial text messages to instant messaging accounts (such as WeChat, Telegram, etc.).
  • Marketing on instant messaging platforms is growing in popularity and is therefore subject to increasing scrutiny by data privacy regulators.
  • Organizations need to ensure they have policies and procedures in place in relation to marketing to customers using instant messaging platforms and social media accounts.
  • In addition to ensuring compliance with statutory data protection obligations and spam control regulations, each instant messaging platform has its own contractual terms and conditions of use and its own specific rules and procedures around how a business connects with and markets to users on its platform. Some instant messaging platforms prohibit business users from using the “personal communications” version of its platform for business purposes and may have a “business version” of the platform for this purpose.
  • Organizations should be particularly careful around individual employees using personal social media or instant messaging accounts to connect with customers in a business context. In such circumstances, an organization may still have to comply with its obligations under the PDPA in relation to the collection, use and disclosure of such personal data. However, the organization will have limited control over such personal data to enable it to fulfil such obligations if the connection with the customer has been made using an employee’s personal device or accounts rather than through a business account.
  • Such communication via a personal messaging platform and not on the dedicated business version of the platform may also potentially be in breach of such platform’s terms and conditions.
  • Organizations also need to aware of the “Do Not Call” Registry (“DNC Registry“) rules (established under the PDPA) and comply with these.
  • Organizations should only use approved business communications channels to send promotional and advertising communications to customers, after receiving opt-in consent from the customer for the use of the customer’s personal data for this specific purpose.

Singapore: Cyber Security Agency of Singapore (CSA) publishes report on Singapore Cyber Landscape in 2020

  • On 8 July 2021, the CSA published its annual report on the Singapore Cyber Landscape in 2020, looking at cyber breach trends in 2020 and predicting potential threats in 2021 and beyond.
  • In 2020, Singapore witnessed more than 16,000 cases of cyber-crimes, given the backdrop of increased online connectivity as well as accelerated changes to businesses and process transformations during the pandemic. This was a significant rise from 2019, which saw 9,349 cases.


  • In 2020, the CSA received 89 reports of ransomware cases, a significant increase of 154% from 35 cases in 2019. The majority of ransomware cases were reported by Small-and-Medium Enterprises (SMEs) but these cyber criminals were observed to be participating in more targeted “Big Game Hunting” (BGH) whereby large businesses are targeted in hopes of higher ransom payouts.

Phishing incidents

  • While phishing attacks have decreased slightly from 2019, about 47,000 phishing URLs with a Singapore link were still detected.
  • In 2020, the majority of the organizations spoofed were social networking sites, as well as entities in the banking and financial sector.

Cyber hygiene

  • As cyber threats continue to evolve in sophistication, robust cyber security practices remain the best defense. Systems and networks should be regularly patched, and individuals should not reuse credentials across accounts. We should also be wary of cyber threats posed by both phishing and malspam — or malicious spam — emails.
  • It is critical for organizations to engage in data mapping exercises to understand how they collect, store, share and safely delete (or ensure the deletion if in the hands of others) of personal data to minimize the attack surface for cyber-crimes to take place.

Singapore: proposed new licensing framework for cybersecurity service providers

  • The CSA is currently looking at putting in place a licensing framework for cybersecurity service providers.
  • The proposed licensing requirements are anticipated to be simple to minimize the operational costs on businesses, including: (i) ensuring that their key executive officers performing the licensable services are fit and proper persons (the individual has not been convicted of any offence involving fraud, dishonesty or moral turpitude); and (ii) keeping for at least three years basic records on the cybersecurity services that it has provided (this was reduced from the five years that was previously proposed, so as to lighten the administrative requirements on licensed cybersecurity service providers).
  • Organizations need to ensure that the cyber service providers they are using meet the latest standards applicable in the regulatory framework within which they operate and ensure that contracts for services with cyber providers ensure adherence to the highest standards.